Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1791
Views
0
Helpful
8
Replies

ZBF and loopback interfaces

Go to solution
fsebera
Level 4
Level 4

‎04-15-2015 09:13 AM - edited ‎03-11-2019 10:46 PM

 

In my ZBF setup, I assign the physical and logical interface (tunnel) to different zones.

I.E. G0/0 is Trusted zone and Tunnel1 is assigned to a Tunnel zone.

Dynamic NAT is tied to the Loopback1 interface but this interface is not assigned to a zone.

My setup is fully function but am now wondering if I missed something BIG.  My understanding is ALL interfaces MUST be assigned to a zone to enable INTER-zone and INTRA-zone communications. Perhaps this rule does not apply to traffic originating from the router itself.

 

My questions is, do loopback interfaces need to be assigned to a zone to communicate with other zones on the same router?

 

Thanks

Frank

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Pranay Prasoon
Level 3
Level 3
In response to fsebera

‎04-15-2015 03:11 PM

you don't need to have loop back into any zone.

 

When traffic will come from trusted to tunnel, it will represent source from trusted and destination tunnel, even if the traffic changes its source IP address to NAT IP.

 

You just need to make sure that your traffic is allowed from trusted to tunnel and tunnel to trusted if traffic is coming back tunneled.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Pranay Prasoon
Level 3
Level 3

‎04-15-2015 11:28 AM

Nope..if self zone is not configured on router, then loopback belongs to router and you don't need it in a zone to communicate to other zone.

0 Helpful

Go to solution
fsebera
Level 4
Level 4
In response to Pranay Prasoon

‎04-15-2015 11:38 AM

 

Sorry, I should have indicated I have a self zone configured (albeit perhaps incorrectly :()

I don't want to impose but I could provide my config for review!!!

Thanks

Frank

0 Helpful

Go to solution
Pranay Prasoon
Level 3
Level 3
In response to fsebera

‎04-15-2015 11:40 AM

okay...but do change your IP scheme

0 Helpful

Go to solution
fsebera
Level 4
Level 4
In response to Pranay Prasoon

‎04-15-2015 01:14 PM

Already SANITIZED due to backend private connections!!!!

 

R10# sh run
! Last configuration change at 16:48:12 EST Tue Apr 14 2015 by ?
! NVRAM config last updated at 16:48:15 EST Tue Apr 14 2015 by ?
! NVRAM config last updated at 16:48:15 EST Tue Apr 14 2015 by ?
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
!
hostname R10
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.151-4.M10.bin
boot-end-marker
!
logging userinfo
logging buffered 32768
!
clock timezone EST -5 0
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1637678459
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1637678459
 revocation-check none
 rsakeypair TP-self-signed-1637678459
!
crypto pki certificate chain TP-self-signed-1637678459
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  --snip--
        quit
dot11 syslog
no ip source-route
no ip gratuitous-arps
ip dhcp bootp ignore
!
ip cef
no ip bootp server
no ip domain lookup
!
multilink bundle-name authenticated
!
vtp version 2
username ? privilege 15 password --gone--
!
redundancy
!
ip tcp selective-ack
ip tcp synwait-time 10
ip ssh time-out 20
ip ssh version 2
!
class-map type inspect match-all TELNET
 match access-group name TELNET
 match protocol telnet
class-map type inspect match-all OSPF
 match access-group name OSPF
class-map type inspect match-all ISAKMP
 match access-group name ISAKMP
class-map type inspect match-all OUTBOUND
 match protocol icmp
class-map type inspect match-all SSH
 match access-group name SSH
 match protocol ssh
class-map type inspect match-all IPSEC
 match access-group name IPSEC
class-map type inspect match-any WEB
 match protocol http
 match protocol https
class-map type inspect match-all BGP
 match access-group name BGP
class-map type inspect match-any ALLOWED
 match protocol ssh
 match protocol https
 match protocol telnet
 match protocol icmp
 match access-group name HTTP-REDIR
!
policy-map type inspect OUTBOUND
 class type inspect OUTBOUND
  inspect
 class class-default
  pass
policy-map type inspect TO-AWS2
 class type inspect ALLOWED
  inspect
 class class-default
  drop
policy-map type inspect TO-AWS1
 class type inspect ALLOWED
  inspect
 class class-default
  drop
policy-map type inspect INBOUND
 class type inspect IPSEC
  pass
 class type inspect ISAKMP
  pass
 class type inspect OSPF
  pass
 class type inspect BGP
  pass
 class type inspect TELNET
  pass
 class type inspect SSH
  pass
 class type inspect WEB
  pass
 class class-default
  drop
!
zone security TUN1
zone security TUN2
zone security TRUSTED
zone-pair security F0/0->TUN1 source TRUSTED destination TUN1
 service-policy type inspect TO-AWS1
zone-pair security F0/0->TUN2 source TRUSTED destination TUN2
 service-policy type inspect TO-AWS2
zone-pair security INBOUND source TRUSTED destination self
 service-policy type inspect INBOUND
zone-pair security OUTBOUND source self destination TRUSTED
 service-policy type inspect OUTBOUND
!
crypto keyring KEYRING-VPN-344BFC4B-0
  local-address 192.168.90.1
  pre-shared-key address 192.168.0.34 key --gone--
crypto keyring KEYRING-VPN-344BFC4B-1
  local-address 192.168.90.1
  pre-shared-key address 192.168.0.50 key --gone--
!
crypto isakmp policy 200
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 201
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile ISAKMP-VPN-344BFC4B-0
   keyring KEYRING-VPN-344BFC4B-0
   match identity address 192.168.0.34 255.255.255.255
   local-address 192.168.90.1
crypto isakmp profile ISAKMP-VPN-344BFC4B-1
   keyring KEYRING-VPN-344BFC4B-1
   match identity address 192.168.0.50 255.255.255.255
   local-address 192.168.90.1
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set IPSEC-PROP-VPN-344BFC4B-0 esp-aes esp-sha-hmac
crypto ipsec transform-set IPSEC-PROP-VPN-344BFC4B-1 esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile IPSEC-VPN-344BFC4B-0
 set transform-set IPSEC-PROP-VPN-344BFC4B-0
 set pfs group2
!
crypto ipsec profile IPSEC-VPN-344BFC4B-1
 set transform-set IPSEC-PROP-VPN-344BFC4B-1
 set pfs group2
!
interface Loopback1
 ip address 172.16.6.1 255.255.255.0
!
interface Tunnel1
 description BORDER1
 ip address xxx.yyy.zzz.22 255.255.255.252
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 zone-member security TUN1
 ip tcp adjust-mss 1387
 tunnel source 192.168.90.1
 tunnel mode ipsec ipv4
 tunnel destination 192.168.0.34
 tunnel protection ipsec profile IPSEC-VPN-344BFC4B-0
!
interface Tunnel2
 description BORDER2
 ip address xxx.yyy.zzz.18 255.255.255.252
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 zone-member security TUN2
 ip tcp adjust-mss 1387
 tunnel source 192.168.90.1
 tunnel mode ipsec ipv4
 tunnel destination 192.168.0.50
 tunnel protection ipsec profile IPSEC-VPN-344BFC4B-1
!
interface FastEthernet0/0
 ip address 192.168.90.1 255.255.255.240
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security TRUSTED
 load-interval 30
!
router ospf 110
 router-id 172.16.6.1
 redistribute bgp 6 subnets route-map AWS-NETS
 passive-interface default
 no passive-interface FastEthernet0/0
 network xxx.yyy.zzz.16 0.0.0.3 area 64
 network xxx.yyy.zzz.20 0.0.0.3 area 64
 network 172.16.6.0 0.0.0.255 area 64
 network 192.168.90.0 0.0.0.15 area 64
!
router bgp 6
 bgp router-id 172.16.6.1
 bgp log-neighbor-changes
 redistribute ospf 110 route-map OSPF-NETS
 neighbor xxx.yyy.zzz.17 remote-as 10
 neighbor xxx.yyy.zzz.17 description AWS2-Tun2
 neighbor xxx.yyy.zzz.17 soft-reconfiguration inbound
 neighbor xxx.yyy.zzz.17 prefix-list AWS-BORDER2 out
 neighbor xxx.yyy.zzz.21 remote-as 10
 neighbor xxx.yyy.zzz.21 description AWS1-Tun1
 neighbor xxx.yyy.zzz.21 soft-reconfiguration inbound
 neighbor xxx.yyy.zzz.21 prefix-list AWS-BORDER1 out
 maximum-paths 2
!
no ip forward-protocol nd
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat pool LOOP1 172.16.6.1 172.16.6.1 netmask 255.255.255.0
ip nat inside source list HQ-AWS1-AWS2 pool LOOP1 overload
!
ip access-list standard AWS-NETS
 permit 172.16.3.0 0.0.0.255
 permit 172.16.4.0 0.0.0.255
 permit 172.16.5.0 0.0.0.255
!
ip access-list extended HQ-AWS1-AWS2
 deny   tcp host xxx.yyy.zzz.18 eq bgp host xxx.yyy.zzz.17
 deny   tcp host xxx.yyy.zzz.18 host xxx.yyy.zzz.17 eq bgp
 deny   tcp host xxx.yyy.zzz.22 eq bgp host xxx.yyy.zzz.21
 deny   tcp host xxx.yyy.zzz.22 host xxx.yyy.zzz.21 eq bgp
 permit ip any any
!
ip access-list extended HTTP-REDIR
 permit tcp 192.168.2.0 0.0.0.255 host 172.16.5.2 eq 9999
 permit tcp 192.168.2.0 0.0.0.255 host 172.16.5.1 eq 8888
 permit tcp 192.168.1.0 0.0.0.255 host 172.16.5.2 eq 9999
 permit tcp 192.168.1.0 0.0.0.255 host 172.16.5.1 eq 8888
!
ip access-list extended IPSEC
 permit esp any any
!
ip access-list extended ISAKMP
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
ip access-list extended OSPF
 permit ospf any any
!
ip access-list extended SSH
 permit tcp 192.168.1.0 0.0.0.255 any eq 22
 permit tcp 192.168.2.0 0.0.0.255 any eq 22
!
ip access-list extended TELNET
 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
 permit tcp 192.168.2.0 0.0.0.255 any eq telnet
!
ip prefix-list AWS-BORDER1 seq 10 permit 172.16.4.0/24
ip prefix-list AWS-BORDER1 seq 30 permit 172.16.6.0/24
!
ip prefix-list AWS-BORDER2 seq 10 permit 172.16.3.0/24
ip prefix-list AWS-BORDER2 seq 30 permit 172.16.6.0/24
!
logging history size 100
logging history debugging
!
access-list 1 permit 2.0.0.0 0.0.0.15
access-list 1 permit 192.168.90.0 0.0.0.255
access-list 1 permit 172.16.6.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
route-map OSPF-NETS permit 10
 match ip address 1
!
route-map AWS-NETS permit 10
 match ip address AWS-NETS
 set tag 10
!
line con 0
 exec-timeout 3 0
 privilege level 15
 password --gone--
 session-limit 2
 logging synchronous
 no vacant-message
 login
 transport preferred telnet
 transport output telnet
 speed 4800
line aux 0
 exec-timeout 0 1
 login
line vty 0 15
 exec-timeout 5 0
 privilege level 15
 password --gone--
 absolute-timeout 15
 session-limit 2
 no vacant-message
 login local
 transport preferred telnet
 transport input telnet ssh
 transport output telnet

0 Helpful

Go to solution
Pranay Prasoon
Level 3
Level 3
In response to fsebera

‎04-15-2015 01:14 PM

okay so just that I am  understanding your requirement correctly,

 

Is the traffic going to come from trusted zone, get NATed with the loop back IP address and go through tunnel interface?

 

 

0 Helpful

Go to solution
fsebera
Level 4
Level 4
In response to Pranay Prasoon

‎04-15-2015 02:12 PM

 

 

YES!!

...... but also traffic ingresses the TRUSTED interface to the router itself.

Thanks

Frank

0 Helpful

Go to solution
Pranay Prasoon
Level 3
Level 3
In response to fsebera

‎04-15-2015 03:11 PM

you don't need to have loop back into any zone.

 

When traffic will come from trusted to tunnel, it will represent source from trusted and destination tunnel, even if the traffic changes its source IP address to NAT IP.

 

You just need to make sure that your traffic is allowed from trusted to tunnel and tunnel to trusted if traffic is coming back tunneled.

0 Helpful

Go to solution
fsebera
Level 4
Level 4
In response to Pranay Prasoon

‎04-16-2015 05:01 AM

 

Thanks Pranay,

 

Thanks for your assistance!

Frank

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card